Static analysis tools are often used by computer software developers to provide information about computer software while applying only static considerations (i.e., without executing a computer software application). In one type of static analysis, data flows are traced within a computer software application from “sources,” being application programming interfaces (API) that introduce “untrusted” input into a program, such as user input, to “sinks,” being security-sensitive operations such as modifying a database. Such flows are identified as security vulnerabilities that may require remediation, typically by ensuring that a flow that is identified as a security vulnerability encounters a “downgrader” that validates and/or sanitizes untrusted input, such as by checking whether the input contains illegal characters or is in an illegal format, both common tactics used in malicious attacks. Static analysis tools that identify security vulnerabilities typically provide computer software developers with a short description of each type of security vulnerability found, and may even provide sample code snippets that may be used by the developer to construct a downgrader for remediating the security vulnerability.
In addition to identifying a security vulnerability and deciding what type of downgrader to use for its remediation, deciding where to locate a downgrader within a data flow is a matter of importance as well. Misplacement of a downgrader may leave the original security vulnerability in place or cause other problems. Also, in order to maximize code quality and maintainability, it is desirable to apply as few code changes as possible.